by sandov 2763 days ago
Noob question: if a.com gets a certificate, then b.a.com can use the same cert, right? As in the example of the fb impostor in 000webhost.

So, in that same vein, can a TLD get a certificate? For example, com gets a certificate, so now anything.com has a valid certificate. Also, can I issue a cert specifically for d.c.b.a.com?

3 comments

In the Web PKI, which is what you care about:

A certificate can have an effectively unlimited (CAs impose an arbitrary limit like 100; nobody is sure of the maximum that could work) number of names listed (the subscriber will have to achieve proof of control for all these names to get the cert).

Each name can either be an exact fully qualified domain name, and will match only that single name, or it can be a "wildcard" like *.example.com which matches any DNS name with exactly one label (a part with no dots in, essentially) where the asterisk is and the rest an exact match.

Thus, a wildcard in com, even if it could exist (it is forbidden to issue such a thing), would not match service.example.com, only the exact name example.com itself.

In short no.

a.com does not match b.a.com

Only if the certificate is *.a.com does it match b.a.com

b.a.com can have its own certificate.
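The matching rules the two replies above describe (an exact name matches only itself; a wildcard is a single leading label and covers exactly one label; a bare wildcard over a registry suffix such as *.com is not issuable) are easy to get wrong when checked by eye, so here is a small Python matcher that encodes them. It is an added example, not code from the thread or from any CA or TLS library. The PUBLIC_SUFFIXES set is a tiny constructed stand-in for the real Public Suffix List so the example runs offline; a real implementation would consult the full list.

```python
"""Web PKI dNSName matching, as described in the replies above.

Rules implemented (following RFC 6125 section 6.4.3 and the CA/Browser Forum
Baseline Requirements as the replies summarise them):
  * a plain name matches only itself, label for label, case-insensitively;
  * a wildcard is a single '*' that is the entire leftmost label, and it
    matches exactly one label (no dots) in that position;
  * a wildcard whose remaining labels are only a registry-controlled suffix
    (e.g. '*.com') is rejected outright, so it matches nothing.
"""

# ASSUMPTION: constructed stand-in for the Public Suffix List, not complete.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def _labels(name: str) -> list[str]:
    """Normalise a DNS name (lower-case, strip a trailing dot) into labels."""
    name = name.strip().rstrip(".").lower()
    if not name:
        raise ValueError("empty DNS name")
    labels = name.split(".")
    if any(not lab for lab in labels):
        raise ValueError(f"empty label in {name!r}")
    return labels


def is_issuable(san: str) -> bool:
    """Could a public CA list this dNSName in a certificate at all?"""
    labels = _labels(san)
    if "*" not in san:
        return True
    # A wildcard must be the whole leftmost label and appear nowhere else.
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
        return False
    # What remains to the right of '*' must be a registrable domain,
    # not empty and not a bare public suffix such as 'com' or 'co.uk'.
    rest = ".".join(labels[1:])
    return bool(rest) and rest not in PUBLIC_SUFFIXES


def name_matches(san: str, host: str) -> bool:
    """Does one certificate dNSName cover the given host name?"""
    if not is_issuable(san):
        return False
    pat, lbls = _labels(san), _labels(host)
    # Label counts must agree: '*' stands for exactly one label, so
    # '*.a.com' covers 'b.a.com' but neither 'a.com' nor 'c.b.a.com'.
    if len(pat) != len(lbls):
        return False
    if pat[0] == "*":
        return pat[1:] == lbls[1:]
    return pat == lbls


def cert_covers(sans: list[str], host: str) -> bool:
    """A certificate covers a host if any of its listed names matches it."""
    return any(name_matches(s, host) for s in sans)


if __name__ == "__main__":
    # Constructed SAN lists illustrating the cases asked about in the thread.
    for sans, host in [
        (["a.com"], "b.a.com"),
        (["*.a.com"], "b.a.com"),
        (["*.a.com"], "c.b.a.com"),
        (["a.com", "*.a.com"], "B.A.COM"),
        (["*.com"], "example.com"),
        (["d.c.b.a.com"], "d.c.b.a.com"),
    ]:
        print(f"{sans!r:28} covers {host:14}? {cert_covers(sans, host)}")
```

The depth question from the original post falls out of the same rule: d.c.b.a.com is just an exact name with five labels, so a certificate listing it matches that host and nothing else, and *.b.a.com would cover c.b.a.com but not d.c.b.a.com.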

Yes, you can have a single certificate for both a.com and b.a.com. You can also have it for a.com and <star>.a.com.

No, you can't get <star>.com. Typically, at least for known root CAs, you have to prove ownership of your top level domain. If you own a.com, they'll ask you to either put a file on a.com/random, or register random.a.com. If you try to do so with .com, you'll likely fail (but please feel free to try and prove me wrong!).

Yes, you can get a certificate for d.c.b.a.com; I don't see any reason why not if you own a.com. Unless your specific root CA has constraints on the depth of the domains.

Edit: replaced '*' with <star>